07-13-2023 10:49 AM
We are working through a conversion to Global Protect VPN from Anyconnect and have hit the stage where users are griping about how global protect operates (we are connect on demand). #1 Gripe I am getting is that there is no prompt/pop up from GP when it disconnects and also no pop up when it reconnects. I have scoured through the settings and cannot seem to see any option to enable that.
#2 gripe has been that we did not enable users to extend their session beyond the connection timeout. I see there is a portal setting to "allow user to extend global protect user session: yes/no". I presume since there is not further settings in this regard it would allow users to extend connections an unlimited number of times so long as they click extend on a box whenever they near the end of their timer.
Anyone have any other settings that made a tremendous difference for the users to keep them from sharpening their pitchforks?
07-13-2023 11:21 AM
For the first gripe, I'm not sure that there's an option to display disconnect pop-ups or reconnecting like AnyConnect. There used to be a setting that actually sort of mimicked this behavior, but it was removed during one of the redesigns as far as I'm aware. Maybe ensuring that the GlobalProtect icon shows up in the system tray would be at least a compromise, as there's something they can visibly see to check connectivity status.
The second one, if you're running PAN-OS 11.0 and later you can actually configure end-user notifications about timeouts for GlobalProtect. I wouldn't necessarily recommend deploying 11 in production just yet, but maybe you could give them the notice that it'll at least be changing as soon as 11 is in a good spot.
As far as the 'Allow user to extend GlobalProtect User Session' option goes, while that will show in 10.2 and lower it won't have any affect. That option will only actually function on 11.0 and higher as far as I'm aware.
07-13-2023 11:21 AM
For the first gripe, I'm not sure that there's an option to display disconnect pop-ups or reconnecting like AnyConnect. There used to be a setting that actually sort of mimicked this behavior, but it was removed during one of the redesigns as far as I'm aware. Maybe ensuring that the GlobalProtect icon shows up in the system tray would be at least a compromise, as there's something they can visibly see to check connectivity status.
The second one, if you're running PAN-OS 11.0 and later you can actually configure end-user notifications about timeouts for GlobalProtect. I wouldn't necessarily recommend deploying 11 in production just yet, but maybe you could give them the notice that it'll at least be changing as soon as 11 is in a good spot.
As far as the 'Allow user to extend GlobalProtect User Session' option goes, while that will show in 10.2 and lower it won't have any affect. That option will only actually function on 11.0 and higher as far as I'm aware.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
